Diese Präsentation wurde erfolgreich gemeldet.
Die SlideShare-Präsentation wird heruntergeladen. ×

Is this okay!? DevSecCon ⚡ 2022

2. Feb 2023
0 gefällt mir 6 Aufrufe
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Nächste SlideShare
NDC Security 2023
NDC Security 2023
Wird geladen in …3
×

Hier ansehen

MacIT 2014 - Essential Security & Risk Fundamentals
Alison Gianotto
Steve Weissman - 5 Keys to Managing Information as an Asset
ARMA International
SL_Long Beach_Creative Artists_12_04_2015
Jon Papp
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
Jason Hong
Making use of online resourse for research
Nila Shah
2016 ISACA NACACS - Audit Privacy Considerations
Nathan Anderson
Kaseya Kaspersky Breaches
Kaseya
Digital Analytics and Listening Tools
Skot Waldron
1 von 19 Anzeige

Is this okay!? DevSecCon ⚡ 2022

2. Feb 2023
0 gefällt mir 6 Aufrufe

Herunterladen, um offline zu lesen

Software

You've got some code from a team member to review. You already know that security is important, but do you know how to review their code for security issues? In this session, Rouan will equip you to find common security issues before they're shipped to production. He’ll cover eight questions you should ask yourself whenever you’re reviewing code.

You've got some code from a team member to review. You already know that security is important, but do you know how to review their code for security issues? In this session, Rouan will equip you to find common security issues before they're shipped to production. He’ll cover eight questions you should ask yourself whenever you’re reviewing code.

Software
Anzeige

Empfohlen

NDC Security 2023
rouanw
6 Aufrufe
24 Folien
7 Pillars Of Data Strategy - High Five 2018
Evan Levy
1.5k Aufrufe
52 Folien
Cybercrime and the Developer: How to Start Defending Against the Darker Side
Steve Poole
198 Aufrufe
90 Folien
Janitor vs cleaner
John Stauffacher
765 Aufrufe
44 Folien
Big Data Big Ideas: Data is the New Oil, Privacy is the New Green
Aurélie Pols
1k Aufrufe
37 Folien
Next generation pentest your company cannot buy
Vlad Styran
948 Aufrufe
23 Folien
Владимир Стыран - Пентест следующего поколения, который ваша компания не може...
UISGCON
1.3k Aufrufe
23 Folien
Its time to grow up by Eric C.
ISSA LA
575 Aufrufe
26 Folien
Anzeige

Weitere Verwandte Inhalte

Ähnlich wie Is this okay!? DevSecCon ⚡ 2022 (20)

MacIT 2014 - Essential Security & Risk Fundamentals
Alison Gianotto
2.9k Aufrufe
Steve Weissman - 5 Keys to Managing Information as an Asset
ARMA International
256 Aufrufe
SL_Long Beach_Creative Artists_12_04_2015
Jon Papp
123 Aufrufe
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
Jason Hong
147 Aufrufe
Making use of online resourse for research
Nila Shah
12.8k Aufrufe
2016 ISACA NACACS - Audit Privacy Considerations
Nathan Anderson
328 Aufrufe
Kaseya Kaspersky Breaches
Kaseya
2.8k Aufrufe
Digital Analytics and Listening Tools
Skot Waldron
2.9k Aufrufe
Cyber threat intelligence: maturity and metrics
Mark Arena
9.3k Aufrufe
One Year After WannaCry - Has Anything Changed? A Root Cause Analysis of Data...
Forcepoint LLC
122 Aufrufe
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
Jason Hong
327 Aufrufe
Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board
LERNER Consulting
294 Aufrufe
Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board
LERNER Consulting
235 Aufrufe
Insider Threat: Cases and Controls to Prevent Internal Fraud and Prevention
i-Sight
915 Aufrufe
Anomaly Detection and You
Mary Kelly Rich
171 Aufrufe
Healing healthcare security
Barry Caplin
431 Aufrufe
Big Data - Harisfazillah Jamel - Startup and Developer 4th Meetup 5th Novembe...
Linuxmalaysia Malaysia
490 Aufrufe
Fostering an Ecosystem for Smartphone Privacy
Jason Hong
101 Aufrufe
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Wendy Knox Everette
232 Aufrufe
Dull, Difficult, and Essential: Managing Public Records
Paul W. Taylor
694 Aufrufe
MacIT 2014 - Essential Security & Risk Fundamentals
Alison Gianotto
2.9k Aufrufe
36 Folien
Steve Weissman - 5 Keys to Managing Information as an Asset
ARMA International
256 Aufrufe
37 Folien
SL_Long Beach_Creative Artists_12_04_2015
Jon Papp
123 Aufrufe
16 Folien
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
Jason Hong
147 Aufrufe
81 Folien
Making use of online resourse for research
Nila Shah
12.8k Aufrufe
53 Folien
2016 ISACA NACACS - Audit Privacy Considerations
Nathan Anderson
328 Aufrufe
51 Folien

Weitere von rouanw (20)

Fail better with QA in Production
rouanw
738 Aufrufe
Qa in production singular 2019
rouanw
108 Aufrufe
How to review a pull request
rouanw
445 Aufrufe
Rouan's design principles
rouanw
78 Aufrufe
The curious case of the production incident
rouanw
351 Aufrufe
QA in Production: The tests we never wrote and the production monitoring we u...
rouanw
509 Aufrufe
Organised chaos: real-world JavaScript microservices
rouanw
683 Aufrufe
Contributing to open source is easier than you think
rouanw
428 Aufrufe
How to write a blog post
rouanw
399 Aufrufe
QA in Production
rouanw
719 Aufrufe
Dashboards: Using data to find out what's really going on
rouanw
4.8k Aufrufe
Tech lead tips
rouanw
778 Aufrufe
DevOps Culture
rouanw
1.7k Aufrufe
Techniques for stress free software releases
rouanw
768 Aufrufe
Be a polyglot programmer
rouanw
550 Aufrufe
Emergent design - PHP Jo'burg 2015
rouanw
839 Aufrufe
Infrastructure as code
rouanw
579 Aufrufe
ThoughtWorks Tech radar Jan 2014
rouanw
1.2k Aufrufe
Continuous Integration
rouanw
385 Aufrufe
May 2013 ThoughtWorks Tech radar
rouanw
549 Aufrufe
Fail better with QA in Production
rouanw
738 Aufrufe
37 Folien
Qa in production singular 2019
rouanw
108 Aufrufe
37 Folien
How to review a pull request
rouanw
445 Aufrufe
31 Folien
Rouan's design principles
rouanw
78 Aufrufe
19 Folien
The curious case of the production incident
rouanw
351 Aufrufe
35 Folien
QA in Production: The tests we never wrote and the production monitoring we u...
rouanw
509 Aufrufe
31 Folien
Anzeige

Aktuellste (20)

Not a book
robertseverino5
0 Aufrufe
The World Almanac and Book of Facts 2021
lindalee974
0 Aufrufe
FTA_S4_HANA_Finance_Overview_V2.pptx
ssuser617903
0 Aufrufe
The Nickel Boys
lindalee974
0 Aufrufe
The Elder Scrolls: The Official Cookbook
lindalee974
0 Aufrufe
The Eye Book
lindalee974
0 Aufrufe
The Complete Guide to Wiring
lindalee974
0 Aufrufe
Cuenta Con Dr. Seuss 1 2 3
carolynguyen
0 Aufrufe
The Knot Ultimate Wedding Planner & Organizer [
carolynguyen
0 Aufrufe
ljug-meetup-2023-03-hexagonal-architecture.pdf
Comsysto Reply GmbH
0 Aufrufe
What is Sales Management.pdf
Elatesoft
0 Aufrufe
Student Management System presentatio.pptx
rohanthombre2
0 Aufrufe
Llama Llama Easter Egg
carolynguyen
0 Aufrufe
The YouTube Formula: How Anyone Can Unlock the Algorithm to Drive Views, Buil...
carolynguyen
0 Aufrufe
Finding a Way: Six Stories on Fear, Heroism, and New Beginnings
robertseverino5
0 Aufrufe
Timelines of Everything
carolynguyen
0 Aufrufe
WOLFPACK: How to Come Together, Unleash Our Power, and Change the Game
robertseverino5
0 Aufrufe
Lesson 01.ppt
sugandika1
0 Aufrufe
The Color of Law: A Forgotten History of How Our Government Segregated America
carolynguyen
0 Aufrufe
Sticker Puzzles: In the Wild (Brain Games - Sticker by Letter)
robertseverino5
0 Aufrufe
Not a book
robertseverino5
0 Aufrufe
1 Folie
The World Almanac and Book of Facts 2021
lindalee974
0 Aufrufe
1 Folie
FTA_S4_HANA_Finance_Overview_V2.pptx
ssuser617903
0 Aufrufe
23 Folien
The Nickel Boys
lindalee974
0 Aufrufe
1 Folie
The Elder Scrolls: The Official Cookbook
lindalee974
0 Aufrufe
1 Folie
The Eye Book
lindalee974
0 Aufrufe
1 Folie

Is this okay!? DevSecCon ⚡ 2022

  1. 1. Is this okay!? Rouan Wilsenach Engineering Lead, Haven @rouanw Reviewing code for security issues
  2. 2. Too much pressure Code reviews are great for catching issues but they can’t be the only thing. - Build awareness 💬 - Threat modelling 🐉 - Pen testing 🔦
  3. 3. Where’s the input going? - Is there new input? - Have we changed the way input is handled? - Where it’s stored? - How it’s used later? 1 .
  4. 4. Are the right AAA checks in place? - Authentication - have we checked the actor is who they say they are? - Authorisation - have we checked they’re allowed to do this? - Auditing - have we made a note of what happened? 2 .
  5. 5. Have the assets changed? Are we storing any personal or special information? E.g. - Emails - Health info - Credit cards - Racial or ethnic origin - Political or religious info 3 .
  6. 6. Are you leaking data? - Is your API returning extra bits? - Are you logging stuff you shouldn’t? - Don’t keep anything you don’t need 4 .
  7. 7. Any new dependencies? Do some research on new dependencies. Are they: - Trusted - Popular - Well maintained - Do you really need it? 5 .
  8. 8. Has the config changed? - Misconfiguration is a super common cause of security issues - If your config isn’t code, you can’t review it! 6 .
  9. 9. Is anything being cached? - Don’t show one user’s sensitive info to another! - Everyone should understand the default cache behaviour - Good cache keys 7 .
  10. 10. Have you checked the borders? Handy trick if you’re short on time is to focus on where data enters and leaves your system - e.g. where a web request comes in and where we talk to a database. 8 .
  11. 11. A few tricks that helped me learn Find your security mentor Turn up at post mortems Smashing Security Podcast Offer help during pen tests Find a security course online
  12. 12. 1 . 2 . 3 . 4 . 5 . 6 . 7 . 8 . Inputs AAA Asset type Data leaks Dependencies Boundaries Config Caching Reviewing code for security issues – Cheat Sheet @rouanw
  13. 13. Is this okay!? Rouan Wilsenach Engineering Lead, Haven @rouanw Reviewing code for security issues

×